Easy-to-use attack exploits IPv6 traffic on IPv4 networks

By William Jackson

Aug 09, 2013

An automated attack tool released last week at the DEF CON hackers’ conference lets an outsider intercept IPv6 traffic by setting up a rogue router on an IPv4 network. By tricking operating systems into using the malicious router, attackers could read and modify unprotected Internet traffic before passing it along.

This man-in-the-middle attack works because most current operating systems, including Windows 7 and 8, and Mac OS X, are enabled to use the next generation of Internet Protocols by default, but most networks still are configured to use only IPv4. If the malicious router advertises itself on the network as accepting IPv6 traffic, host operating systems will use that router and the traffic will be invisible on the IPv4 network.

“When you set up a Windows box, by default IPv6 is enabled,” said Scott Behrens, senior security consultant at Neohapsis.

Behrens, along with researcher Brent Bandelgar, demonstrated the attack at DEF CON as the automated script, named Sudden Six, was released by Neohapsis.

Behrens said that releasing the script, intended for use in penetration testing, should increase awareness of the risks of unmanaged IPv6 traffic on networks and the need to either prohibit IPv6 traffic or establish a managed infrastructure that supports it safely. “I don’t know if this will be the threat that will kick-start adoption” of IPv6, he said. But it is one more reason to enable IPv6 on your network rather than waiting for a hacker to do it for you.

Federal agencies are under a 2010 mandate from the Office of Management and Budget to enable IPv6 on their networks. Public-facing services were to be enabled to use native IPv6 by October 2012, with internal applications and networks to be enabled two years later. Nearly a year after the initial deadline, just 29 percent of 1,330 government domains tested by the National Institute of Standards and Technology on Aug. 8 have completed enabling the protocols on public-facing services. Another 39 percent are in progress.

The nearly one-third of agencies that have not begun the process of enabling IPv6 on their networks are likely to be vulnerable to a man-in-the-middle attack from a rogue server.

The concept for the attack was developed in 2011 by Alec Waters, who described a technique to use Stateless Address Auto Configuration (SLAAC) to trick Windows Vista and Windows 7 IPv6-aware hosts into using a rogue router as their default gateway by broadcasting IPv6 router advertisement messages over a network. He called it the SLAAC Attack. The router would receive IPv6 requests from the host, translate them into IPv4 and pass them along to the legitimate network, putting itself in the middle of the flow. An attacker controlling the router could observe and modify the traffic. This would let him steal unencrypted information, misdirect requests or serve up phony Web pages that could be used to steal log-in credentials.

“When we were playing with the SLAAC Attack in the lab, it was hard to set up,” Behrens said. It was kludgy, required considerable configuration and took several weeks to get up and running. It also did not work properly with Windows 8, which runs IPv6 by default. “We wondered how we could make this reproducible and easy for our penetration testing.”

The result was Sudden Six, with a script that installs code and configures the attack host in about a minute rather than the 40 hours needed to set up the SLAAC Attack.

The attack has limitations. “It has to run on your local network,” Behrens said. That means an attacker would need an insider to install it on the network, either as an accomplice or through social engineering. Another drawback is that many websites use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to encrypt traffic, which means the rogue server in the middle will not be able to read it.

Because of these factors and the complexity of the original attack, Behrens said the SLAAC Attack has not been found in use in the wild. But the availability of Sudden Six could make the attack more practical, making it more important to defend networks against unmanaged IPv6 traffic.

The ultimate solution is to enable IPv6 end-to-end on your network so that the traffic is visible and a rogue server advertising IPv6 will not get preference from hosts. But that takes planning, effort and time and “a lot of organizations aren’t there yet,” Behrens said. Until then, IPv6 should be disabled by policy on the network so that hosts do not use it, or tools should be used such as Cisco’s IPv6 RA Guard, which blocks rogue router advertisement messages.
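Where RA Guard is not available, the same rogue-advertisement condition can be spotted from a packet capture. The following Python script is an added example, not code from the article or from Neohapsis: it parses raw IPv6 frames (no Ethernet header), flags every ICMPv6 Router Advertisement whose source is not an expected router, and treats an empty allowlist as "no IPv6 router should exist on this segment". The packet bytes and the router addresses are constructed for the example.

```python
import ipaddress
import struct

ICMPV6 = 58             # IPv6 next-header value for ICMPv6
ROUTER_ADVERTISEMENT = 134

def parse_ipv6_icmpv6(pkt):
    """Return (src, icmp_type, router_lifetime) or None if not IPv6/ICMPv6.
    Extension headers are not handled; such packets are skipped."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    payload_len, next_hdr = struct.unpack("!HB", pkt[4:7])
    if next_hdr != ICMPV6:
        return None
    src = str(ipaddress.IPv6Address(pkt[8:24]))
    icmp = pkt[40:40 + payload_len]
    if len(icmp) < 8:
        return None
    lifetime = None
    if icmp[0] == ROUTER_ADVERTISEMENT and len(icmp) >= 16:
        # RA layout: type, code, checksum(2), hop limit, flags, router lifetime(2), ...
        lifetime = struct.unpack("!H", icmp[6:8])[0]
    return src, icmp[0], lifetime

def find_rogue_ras(packets, allowed_routers=frozenset()):
    """List (src, lifetime) for every RA whose source is not an expected router."""
    findings = []
    for pkt in packets:
        parsed = parse_ipv6_icmpv6(pkt)
        if parsed and parsed[1] == ROUTER_ADVERTISEMENT and parsed[0] not in allowed_routers:
            findings.append((parsed[0], parsed[2]))
    return findings

def build_ra(src_link_local, router_lifetime):
    """Construct a minimal IPv6 + ICMPv6 RA to ff02::1 (checksum zeroed; test data only)."""
    body = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0)
    hdr = struct.pack("!IHBB", 0x60000000, len(body), ICMPV6, 255)
    hdr += ipaddress.IPv6Address(src_link_local).packed + ipaddress.IPv6Address("ff02::1").packed
    return hdr + body

# Constructed sample traffic: one RA from the expected router, one from an unknown host, one IPv4 frame.
SAMPLE_PACKETS = [
    build_ra("fe80::1", 1800),
    build_ra("fe80::dead:beef", 1800),
    bytes([0x45]) + bytes(19),
]

if __name__ == "__main__":
    for src, lifetime in find_rogue_ras(SAMPLE_PACKETS, allowed_routers={"fe80::1"}):
        print(f"unexpected Router Advertisement from {src} (router lifetime {lifetime}s)")
```

On an IPv4-only segment, run it with the default empty allowlist so that any Router Advertisement at all is reported.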